From 0ca886beaf9d4f76813fc3edc12844f5147479f3 Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Fri, 27 Oct 2023 10:28:07 -0400
Subject: [PATCH] backport of commit fb97a459ece4420cdb1237836affbfb40c24ad92 (#23876)

Co-authored-by: miagilepner
---
 changelog/23874.txt | 3 +++
 vault/acl.go | 10 ++++++++++
 2 files changed, 13 insertions(+)
 create mode 100644 changelog/23874.txt

diff --git a/changelog/23874.txt b/changelog/23874.txt
new file mode 100644
index 000000000..34ac61d56
--- /dev/null
+++ b/changelog/23874.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: fix policies with wildcards not matching list operations due to the policy path not having a trailing slash
+```
\ No newline at end of file
diff --git a/vault/acl.go b/vault/acl.go
index 87685ba6d..82a2462fe 100644
--- a/vault/acl.go
+++ b/vault/acl.go
@@ -391,6 +391,16 @@ func (a *ACL) AllowOperation(ctx context.Context, req *logical.Request, capCheck
 }
 }
 
+ // List operations need to check without the trailing slash first, because
+ // there could be other rules with trailing wildcards that will match the
+ // path
+ if op == logical.ListOperation && strings.HasSuffix(path, "/") {
+ permissions = a.CheckAllowedFromNonExactPaths(strings.TrimSuffix(path, "/"), false)
+ if permissions != nil {
+ capabilities = permissions.CapabilitiesBitmap
+ goto CHECK
+ }
+ }
 permissions = a.CheckAllowedFromNonExactPaths(path, false)
 if permissions != nil {
 capabilities = permissions.CapabilitiesBitmap
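Review bot: The trimmed-path lookup short-circuits the untrimmed one via `goto CHECK`, so for a list on a slash-terminated path (constructed example: `secret/foo/`) a glob rule written as `secret/foo*` now wins over one written as `secret/foo/*`, even though the latter is the more specific prefix; if CheckAllowedFromNonExactPaths (outside the hunk) selects the longest matching prefix, this inverts the usual most-specific-rule precedence for list operations and decides which capabilities bitmap, including a deny, is applied. Consider running both lookups and keeping the result whose matched prefix is longer, or at minimum extend the added comment with `// NOTE: a match on the trimmed path takes precedence over any rule that only matches the slash-terminated path.` The diffstat shows only acl.go and a changelog entry, so this ACL precedence change lands without a test pinning the trimmed-versus-untrimmed outcome for a list operation. AllowOperation begins and ends outside this hunk.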